latentbot | 884f371bc0234626363d1ae84089fe785e86e5748334a0cb53902c5791eb272d | Triage

Sharing

General

Target

c0a450f06575f4a463c486c8cdf69775_JaffaCakes118
Size

434KB
Sample

240825-njeg9atdnr
MD5

c0a450f06575f4a463c486c8cdf69775
SHA1

7d8c6bf41f812c22bc4813a2a26b65c812d9add6
SHA256

884f371bc0234626363d1ae84089fe785e86e5748334a0cb53902c5791eb272d
SHA512

d4ae65557644f27f1544547f43c58b81f4498ab1e4d95cb0a95b2d810699c495e2091623422635f32d4d4965a4b6d336e33a19306aeb262aeeb3fba407551894
SSDEEP

12288:+AcEXkELYWiTVxqvf1PgYHh71Nmylhyl:BBXkYH4xqvf1PjB71Eylhyl

Score

10^/10

latentbot discovery evasion persistence trojan

Malware Config

Extracted

Family

latentbot

C2

teamviewersupport.zapto.org

1teamviewersupport.zapto.org

2teamviewersupport.zapto.org

3teamviewersupport.zapto.org

4teamviewersupport.zapto.org

5teamviewersupport.zapto.org

6teamviewersupport.zapto.org

7teamviewersupport.zapto.org

8teamviewersupport.zapto.org

Targets

- Target
  
  c0a450f06575f4a463c486c8cdf69775_JaffaCakes118
- Size
  
  434KB
- MD5
  
  c0a450f06575f4a463c486c8cdf69775
- SHA1
  
  7d8c6bf41f812c22bc4813a2a26b65c812d9add6
- SHA256
  
  884f371bc0234626363d1ae84089fe785e86e5748334a0cb53902c5791eb272d
- SHA512
  
  d4ae65557644f27f1544547f43c58b81f4498ab1e4d95cb0a95b2d810699c495e2091623422635f32d4d4965a4b6d336e33a19306aeb262aeeb3fba407551894
- SSDEEP
  
  12288:+AcEXkELYWiTVxqvf1PgYHh71Nmylhyl:BBXkYH4xqvf1PjB71Eylhyl
Score

10^/10

latentbot discovery evasion persistence trojan
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies firewall policy service
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

latentbotdiscoveryevasionpersistencetrojan

behavioral2

latentbotdiscoveryevasionpersistencetrojan